Cyber security is a constant threat to your law firm

Jonathan Ashley of etiCloud on how prevention is the best defence when it comes to keeping your company safe from cyber attacks

‘Cyber security breaches and attacks remain a common threat.’ – Cyber Security Breaches Survey 2024, Department for Science, Innovation and Technology and the Home Office.

Back in April, the government issued its annual Cyber Security Breaches Survey. The statistics contained in the survey should come as no surprise to any of us, since not a week seems to go by without the media reporting on a cyber breach or attack. This year’s figures revealed that half of UK businesses (50%) and around a third of charities (32%) reported having experienced some form of cyber security breach or attack in the last 12 months. This figure was much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).

Delving further into the survey, I read that 84% of small businesses now regard cyber security as a high priority. However, only four in ten companies have actually reached outside of their business for independent support or guidance. Also, while there has been a small increase in good cyber hygiene practices such as executing a phishing policy or reviewing malware protection, only 31% of businesses have undertaken a cyber security audit. What’s more, only one in ten has reviewed cyber risks posed by suppliers.

7.78 million business cyber crimes committed

Of those businesses that reported a cyber breach in the last 12 months, 44% then experienced some form of cyber crime. Indeed, the survey estimated that 7.78 million business cyber crimes were effected in the past year. Furthermore, of those companies that suffered a cyber breach, only 19% gave staff additional training and only 17% updated existing anti-malware software.

Analysing the contents of the survey only points to one conclusion: there is a constant threat to business, irrespective of size, sector or location. As such, I wanted to address what, as a UK law firm, you can do to protect your company, your staff and your clients from adding to the statistics in next year’s survey.

Start with the squishy ones

Whenever he gets the chance, our cloud director points out that best practice cyber security always starts ‘with the squishy person in front of the computer’. And he’s right. However, since the majority of cyber breaches are indeed the result of human error or misjudgement, the good news is that they can be averted by adopting a variety of processes and protocols. As such, company-wide vigilance and training are absolutely essential when it comes to avoiding a cyber attack of any kind. In fact, get this right and the National Cyber Security Centre, in a recent study, stated that you can eradicate up to 83% of attacks.

Giving your employees the necessary tools and knowledge to identify a potential cyber breach is relatively straightforward to implement. Team up with a certified training provider who specialises in cyber security training and run a specific programme for your entire workforce, even those who rarely use a computer. Absolutely everyone in your company needs to be able to spot the signs of an attempted hack or phishing email and understand the process of flagging it so it can be dealt with immediately. Prevention really is better than cure.

Training and vigilance are key to preventing cyber attacks

Cyber security training should never be a one-off exercise. It should form a key part of your firm’s CPD programme and annual training schedule. Such training can also be complemented by random ‘live’ security exercises – carry out a staged ‘live cyber attack’ and watch and evaluate how employees respond – and ‘real-life’ story telling of businesses that have succumbed to an attack. At the same time, I highly recommend that every company gains the National Cyber Security Centre’s Cyber Essentials certification on an annual basis. This certification will help you to guard against the most common types of cyber attack and demonstrate your commitment to cyber security.

You and your people are your company’s front-line defence against these attackers. If they have the correct training and knowledge required, cyber attacks can be all but nipped in the bud. Make sure they’re fully equipped and remain vigilant at all times, even on a Friday night in the pub when you’re checking your emails on your mobile – yes, we have had an account take-over attempt that started this way – and you’ll stand the best chance of remaining a step ahead of the criminals.

Next generation security products – they’re now very affordable!

Over the last few years, my team and I have been doing an awful lot of work to review security in the current age. One of the biggest milestones in this area is the improved affordability of what are commonly referred to as ‘next generation security’ or ‘Extended Detection Response’ (XDR) products. Once the sole reserve of large, multinational businesses with vast IT budgets, it’s now far more affordable and, therefore, accessible to companies that have a rather more conservative amount to invest in their IT.

XDR is a cyber security technology that is specifically designed to monitor and mitigate cyber security threats. It does this by integrating several concepts into one single solution.

It essentially works by gathering and correlating data across a variety of network points including servers, email, cloud workloads and endpoints. The data is analysed and compared to provide visibility and context which then reveals advanced threats which can be prioritised and mitigated to prevent security collapses and data loss. This, in turn, enables a company to create a much higher level of cyber awareness and allows IT teams to identify and eliminate security vulnerabilities.

We’ve kept a very close eye on the development and uptake of XDR as we’ve wanted to implement it for the 200+ law firms we work with. And I’m delighted to say that we are providing both SentinelOne and Barracuda XDR Managed Endpoint as part of our standard offering. In doing so, firms are now more secure at their most vulnerable points (staff and staff devices as highlighted above!) AND we are still 30% cheaper than our competition AND we provide much higher levels of support.

When did you last conduct a cyber security audit?

It’s a question we ask every potential client and, more often than not, the response is: ‘I’m not entirely sure, let me check with IT.’

A cyber security audit primarily covers your firm’s IT systems. This includes its infrastructure, the software deployed, and devices used by employees. However, this is only one aspect of information security, and a comprehensive assessment won’t be limited to technical resilience. It will also assess:

• Data security: network access controls, data encryption and the way sensitive information moves through the organisation
• Operational security: information security policies, procedures and controls
• Network security: network controls, antivirus configurations and network monitoring
• System security: patching, privileged account management and access controls

Each aspect of the audit will ensure that the relevant controls are in place, optimised and implemented in line with regulatory requirements. That’s why, if you’re one of those firms that’s not certain when it last conducted a cyber security audit, it’s imperative that you do so as a matter of priority.

Our security specialists are highly adept at carrying out a cyber security audit. In a matter of hours and with zero disruption to your business, they compile a report covering each of the above audit areas. Accompanying this will be a description of the findings during the audit and the recommendations to remediate or improve the area in question. We will also make present the report’s findings to you and your stakeholders in plain language so that your management board and members will be fully aware of your security posture without any technical jargon complicating the matter.

Don’t hesitate. Focus on cyber security today

There are hundreds of cyber attacks taking place at a low level as you read this article. This unprecedented amount of cyber threat activity is happening behind the scenes and it is being managed very effectively. The activity is increasing daily so our goal is to look at security products that can help pinpoint which are the important threats so they can be addressed and mitigated fast. Please note that this isn’t meant as fearmongering. It is meant to highlight the fact that cyber threats and crime are becoming much more sophisticated so, we must all constantly strive to improve the level of protection applied.

The next generation of cyber security products are utilising AI to collect data on a global scale and analyse this data to spot trends and identify where time and effort should be spent. This dedicated monitoring and management of security takes out all the guesswork and allows us to prevent and learn from cyber attacks. Ultimately it means we’re able to better protect customers and remediate situations immediately before they become much more difficult to deal with.

Combine XDR products with an ongoing staff training programme on cyber security, achieving Cyber Essentials accreditation and conducting a cyber security audit, and you’ll go a very long way to mitigating the constant threat to your law firm. I guarantee, you won’t regret it.